11-01-2001 05:19 PM - edited 02-21-2020 11:28 AM
Hi
I am starting to build a peer-to-peer VPN from a 1720 router to a PIX 515. We already have VPN clients to the PIX 515 set up and working. After setting up the peer-to-peer VPN site, I get debug info (please see info 2 below). Who can tell me what "IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!" is for?
On the router, if I do show crypto ipsec sa, I get the info in 1 below. Do you think (0.0.0.0/0.0.0.0/1/0) is for proxy identities and makes the problem? How do I clean it up?
1) show crypto ipsec sa
interface: Ethernet0
Crypto map tag: nolan, local addr. 66.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.........
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
.......
local ident (addr/mask/prot/port): (10.20.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.x.x/255.255.255.0/0/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.......
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
...........
2) debug info from PIX
ISAKMP (0): processing SA payload. message ID = 2967232329
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
......
thanks
ben
11-02-2001 08:02 AM
It sounds like your dynamic crypto map is picking up the peer-to-peer session. Make sure your dynamic map ID is higher than any other peer-to-peer crypto map ID. The ID is used as a priority, so the lowest crypto map ID will be checked against that transform first.
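The sequence-priority behaviour described above, worked through as an added example (my code, not from the thread or from Cisco): a small Python model of a PIX crypto map in which the lowest sequence number is evaluated first, fed the proxy identities parsed from the debug lines later in the thread. The sequence numbers (dynamic map at 20, static peer entry at 50 versus 10), the entry names and the sample debug fragment are assumed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class CryptoMapEntry:
    seq: int                  # crypto map sequence number; lowest is checked first
    name: str
    dynamic: bool = False     # dynamic map: no ACL, accepts any proposed proxy identities
    acl: list = field(default_factory=list)   # static map: (local_net, remote_net) pairs

    def matches(self, local_net, remote_net):
        if self.dynamic:
            return True
        return any(local_net.subnet_of(l) and remote_net.subnet_of(r) for l, r in self.acl)

PROXY_RE = re.compile(r"(src|dest)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")

def parse_proxies(debug_text):
    """Extract (src_proxy, dest_proxy) networks from IPSEC(validate_proposal_request) lines."""
    found = {k: ipaddress.ip_network(f"{a}/{m}", strict=False)
             for k, a, m in PROXY_RE.findall(debug_text)}
    return found["src"], found["dest"]

def select_entry(crypto_map, src_proxy, dest_proxy):
    """Responder view: dest_proxy is our local net, src_proxy the peer's; lowest seq wins."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.matches(dest_proxy, src_proxy):
            return entry
    return None

def misordered(crypto_map):
    """Names of static entries numbered above a dynamic one: the dynamic map will catch their peers."""
    dyn = [e.seq for e in crypto_map if e.dynamic]
    return [e.name for e in crypto_map if dyn and not e.dynamic and e.seq > min(dyn)]
# Constructed sample carrying the proxy identities seen in the thread's PIX debug.
DEBUG_SAMPLE = """\
IPSEC(validate_proposal_request): proposal part #1,
    dest_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
"""
def pix_crypto_map(static_seq):
    # Dynamic map at seq 20 for the VPN clients (assumed value); static peer entry at static_seq.
    nets = (ipaddress.ip_network("10.30.0.0/24"), ipaddress.ip_network("10.20.0.0/24"))
    return [CryptoMapEntry(20, "dynmap", dynamic=True),
            CryptoMapEntry(static_seq, "peer-1720", acl=[nets])]

def which_entry_wins(static_seq):
    src, dest = parse_proxies(DEBUG_SAMPLE)
    return select_entry(pix_crypto_map(static_seq), src, dest).name
```

With the static entry at 50 the dynamic map (seq 20) is consulted first and swallows the site-to-site proposal; renumbering the static entry to 10 makes it win, which is the change reported further down the thread.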
11-02-2001 11:32 AM
Hi Joels
After changing ID 50 to 10 for the peer map, that error was fixed. I got debug info from the PIX, please see below. From the debug info the tunnel looks OK, but I still cannot ping or make any connection from either side. What do you think? I have AAA RADIUS running; how does peer-to-peer pass the RADIUS check? Or do I have to disable RADIUS for the peer network? I still get "retransmitting phase 2..." or "phase 1" in the debug info from both sides. What do you think?
I have access-list permit for 10.20.0.0 and 10.30.0.0 network.
Thank you very much!
Ben
ISAKMP (0): Creating IPSec SAs
inbound SA from 66.x.x.x to 12.x.x.x (proxy 10.20.0.0 to 10.30.0.0)
has spi 867901758 and conn_id 4 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 12.x.x.x to 66.x.x.x (proxy 10.30.0.0 to 10.20.0.0)
has spi 329093523 and conn_id 3 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x33bb213e(867901758), conn_id= 4, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 12.x.x.x, dest= 66.x.x.x,
src_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x139d9193(329093523), conn_id= 3, keysize= 0, flags= 0x4
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2...
11-07-2001 10:24 AM
Yup, same problem here! I am doing a similar setup with a PIX 515 and a 7204. I also have a bunch of dynamic clients connecting just fine to my PIX.
Also, if anyone knows how to get the Unified Client to work behind a NATed firewall/router (Netscreen 100), let me know! Thanks!